[X4U] Serious OS X Security Vulnerability

DZ-Jay dz at caribe.net
Thu Apr 7 12:00:11 PDT 2005


Hello:
	I would further add that I would like to hear Apple's position on this 
issue, and not just a transient comment like "Apple does not feel this 
is an issue".

	Consider this.  A few months ago, someone announced a security bug in 
every IDN-enabled web browser (Opera, Mozilla, Firefox, among others), 
and claimed that of all developers contacted, Opera Software brushed it 
off as "it's not our problem", while the Mozilla Foundation was quickly 
working on a fix.  As it turned out, the IDN "issue" was known by the 
designers of the International Domain Name system, and in fact, was part 
of its implementation; and the Mozilla Foundation was ridiculed for its 
over-eagerness in implementing a "fix" in haste that actually crippled 
the IDN implementation of the browser.  When Opera's position was 
publicized, it turned out that they had explained, correctly, that the 
"issue" was part of the IDN design, and that their implementation 
followed it as intended; and that the Opera browser, being used in 
countries other than the USA (many with non-Roman characters), worked 
properly and no "fix" was needed.

	I mention this as an example of how security issues can be over-stated, 
and how developers' reactions can be miscommunicated and downplayed.

	dZ.

Eugene wrote:
> On Thu, Apr 07, 2005 at 10:43:06AM -0700, Randy B.Singer <randy at macattorney.com> wrote:
> : 
> : DZ-Jay said:
> : 
> : >Quotes from the response:
> : >"Explain to me how this is a MacOS specific bug? I can duplicate this
> : >behavior on my debian linux machine."
> : 
> : My response to that is, who cares?  A Macintosh security problem isn't 
> : less of a problem if it affects computers other than the Macintosh.
> : 
> : Nothing in the response indicates that this isn't a serious security 
> : problem or that using this security hole a Trojan cannot gain root access 
> : without user authentication.  
> 
> Yes, it's a minor security issue.  No, it's not a major security issue.
> The problem is that the report specifically targets OS X when in fact it
> affects all Unix distributions that ship with sudo enabled.  That's like
> running out and saying that Jehovah's Witnesses actually curse and it's
> a major problem, when in reality *everyone* curses and it's really just
> a minor problem compared to other issues like poverty, world hunger,
> rampant AIDS in developing and developed nations, and the current trend
> of extremists dictating world policy.  It's also like all of those
> security vendors out there saying the sky is falling and that OS X is
> vulnerable to cross-platform viruses and Trojan horses and other nasty
> things, even though OS X is already pretty secure and there hasn't been
> a case of such nasty things being found in the wild.
> 
> 
